
Passwords and learning from others mistakes

phil4
Grafter
Posts: 244
Registered: ‎13-12-2007

Passwords and learning from others mistakes

Dear Plusnet,
You may have noticed the recent press about Fasthosts and their password problems (in short they stored users passwords unencrypted/unhashed, someone managed to hack in and steal the passwords).
I had cause to call up Plusnet tech support and was very surprised to be asked my password by the operative who answered the phone.
This suggested to me that either Plusnet stores passwords in plain text, or that at least one Plusnet employee now knows my password.
I wonder if Plusnet have any plans to move away from this method of storing passwords in plain text or requiring users to supply them to operatives.  (Part of me hopes that the employee was following Plusnet processes and not just harvesting passwords for their own nefarious purposes).
I don't really need the Fasthosts problems to understand why being asked for my password is bad, nor am I so naive as to not understand how beneficial knowing the U/P of the user is to support.  But in light of current problems at other places I wonder if the tide is changing and if Plusnet feel that they should do things differently?
35 replies
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Passwords and learning from others mistakes

In what context were you asked for your password?
I assume that you have since changed your password?
See https://www.grc.com/passwords.htm for a difficult password.

"In The Beginning Was The Word, And The Word Was Aardvark."

Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

Interesting question and a very relevant one.
Customers' passwords are encrypted on our system. In order to pass the data protection checks we need to verify that you are in fact the account holder, so to do this we ask for 2 characters from the password. In order for the CSC agent to see your password they have to click a link, which then leaves an audit trail so we can see who has accessed your password.
Hope this helps.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
phil4
Grafter
Posts: 244
Registered: ‎13-12-2007

Re: Passwords and learning from others mistakes

Quote from: Chris
Interesting question and a very relevant one.
Customers' passwords are encrypted on our system. In order to pass the data protection checks we need to verify that you are in fact the account holder, so to do this we ask for 2 characters from the password. In order for the CSC agent to see your password they have to click a link, which then leaves an audit trail so we can see who has accessed your password.
Hope this helps.

Thanks for the reply, that instills a little more confidence.  But operatives do get to see the whole password, though that access is logged?
Thank you.
phil4
Grafter
Posts: 244
Registered: ‎13-12-2007

Re: Passwords and learning from others mistakes

Quote from: axisofevil
In what context were you asked for your password?
I assume that you have since changed your password?

I called to discuss a home move process, and no, I've not changed the password yet (it's only used for Plusnet, so no cross-contamination).
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Passwords and learning from others mistakes

Quote from: phil4
I called to discuss a home move process, and no, I've not changed the password yet (it's only used for Plusnet, so no cross-contamination).

I've realized that the widespread nature of the PlusNet site means that using a weak password is very bad. I tend to use a very weak password for non-financial related transactions.
On PlusNet I can sign in and see part of my sort code and part of my account number - but my full bank account name. Provided I'm not called John Smith, there are many searches that would give my full name and address.
I'm going to change my PlusNet password immediately!!!

"In The Beginning Was The Word, And The Word Was Aardvark."

Mav
Moderator
Posts: 22,371
Thanks: 4,725
Fixes: 514
Registered: ‎06-04-2007

Re: Passwords and learning from others mistakes

I have never been asked for my full password when telephoning support, only the last two characters. I assumed, it seems wrongly, that the CS agent could only see those two characters.
Could the system not be set so that only two random characters are shown to the agent for requesting the security check?
This would, probably, give many more people peace of mind.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

The question that then throws up is how do we perform diagnostics? We sometimes need to dialtest as a customer, or log on to a mailbox, or try logging in to the portal. Without the full password this wouldn't be possible.
I appreciate the security concerns, however with the audit trail in place we cover the issues.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

I would disagree. You may be able to trace who accessed the account, but it would not stop the breach in the first place. A better system would be that each staff member has a set of privileges and their own unique password. They could then access the customer's account (but only to the level set by the privilege) via this back door route, and the access would be logged. The password in full should never be available on screen for anybody to see!
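The "privileges plus own credential, access logged" model above can be sketched in working code. This is an added example, not Plusnet's system: a broker issues a support agent a short-lived token limited to one customer account and one action (dial test, mailbox, portal), and the diagnostic system verifies that token instead of the customer's password. The agent names, scopes, TTL and signing key are illustrative assumptions.

```python
"""Scoped, logged staff access that does not use the customer's password.

Added example (not Plusnet's code). An agent signs in with their own
credential; the broker mints a token bound to one account, one scope and
an expiry; the target system checks the token. Every issue/use is logged.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed privilege map: which actions each agent role may take
AGENT_SCOPES = {
    "agent-17": {"portal", "mailbox"},               # first-line support
    "agent-42": {"portal", "mailbox", "dialtest"},   # faults team
}
TOKEN_TTL = 15 * 60                      # delegated session lifetime, seconds
SIGNING_KEY = b"illustrative-key-keep-in-a-kms"   # assumption: held by the broker only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AccessBroker:
    def __init__(self, key=SIGNING_KEY, now=time.time):
        self._key = key
        self._now = now          # injectable clock so expiry can be tested
        self.audit = []          # stand-in for an append-only audit log

    def issue(self, agent, account, scope, reason):
        """Mint a token for one agent/account/action; refuse scopes the agent lacks."""
        if scope not in AGENT_SCOPES.get(agent, set()):
            self.audit.append({"event": "denied", "agent": agent,
                               "account": account, "scope": scope})
            return None
        claims = {"agent": agent, "account": account, "scope": scope,
                  "reason": reason, "exp": int(self._now()) + TOKEN_TTL}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        self.audit.append({"event": "issued", **claims})
        return _b64(body) + "." + _b64(sig)

    def authorize(self, token, account, scope):
        """Called by the dial-test/mailbox/portal system. Returns agent id or None."""
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None                      # tampered or forged: not logged as a use
        claims = json.loads(body)
        ok = (claims["account"] == account and claims["scope"] == scope
              and claims["exp"] > self._now())
        self.audit.append({"event": "used", "ok": ok, "agent": claims["agent"],
                           "account": account, "scope": scope})
        return claims["agent"] if ok else None
```

The point of the design is that the only secret is the broker's signing key: the customer's password is never needed by the agent or by the diagnostic system, and the audit log records the agent, the account, the action and the stated reason for every issue and every use. Each target system (the test ADSL line, the mail platform, the portal) has to be taught to accept the token, which is the integration cost of doing it this way.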
James
Grafter
Posts: 21,036
Thanks: 5
Registered: ‎04-04-2007

Re: Passwords and learning from others mistakes

Hi guys,
I've highlighted this thread to our Security Manager.
bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: Passwords and learning from others mistakes

Quote from: Spider
A better system would be that each staff member as a set of privileges and their own unique password.

This is already the case now.

Bob Pullen
Plusnet Product Team

Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

In which case why would a staff member need to see the customer's password or have need to use it?
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Passwords and learning from others mistakes

As a way of confirming that the person they are speaking to on the phone is the account holder - which brings us back to where this topic started!
jelv (a.k.a Spoon Whittler)
Why I have left Plusnet (warning: long post!)
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: Passwords and learning from others mistakes

This does not need a staff member to see the full password. The system could ask for 2 letters at random. The staff member then inputs the customer's response into the system. The system checks the letters and then says whether they are correct or not.
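The check described in the post above, as an added example that is not Plusnet's code: the verification service holds a per-account key (assumed to live in a key store the agent desktop cannot read), keeps one HMAC per (position, character) pair rather than the password itself, picks the two positions, answers only yes/no, locks the check after a few wrong answers, and logs who asked. Account and agent names are made up.

```python
"""Partial-password check in which the agent never sees the password.

Added example (not Plusnet's code). Only the check service can compute
the per-position tags, so the agent UI gets a True/False and nothing else.
"""
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone

CHARS_PER_CHECK = 2   # the "2 characters" asked for on the phone
MAX_FAILURES = 3      # two characters carry little entropy, so cap the guesses


@dataclass
class AccountRecord:
    key: bytes        # per-account HMAC key; assumed held in a key store, never shown
    verifiers: list   # verifiers[i] = HMAC(key, position i+1 || character)
    failures: int = 0


@dataclass
class AuditEvent:
    when: str
    agent: str
    account: str
    positions: tuple
    ok: bool


class PartialPasswordService:
    def __init__(self):
        self._accounts = {}
        self.audit = []   # stand-in for an append-only audit log

    @staticmethod
    def _tag(key, position, char):
        # Bind each character to its position so characters cannot be reordered
        msg = position.to_bytes(2, "big") + char.encode("utf-8")
        return hmac.new(key, msg, hashlib.sha256).digest()

    def enrol(self, account, password):
        # Normalise so the same visible string always produces the same tags
        password = unicodedata.normalize("NFC", password)
        key = secrets.token_bytes(32)
        verifiers = [self._tag(key, i, c) for i, c in enumerate(password, start=1)]
        self._accounts[account] = AccountRecord(key, verifiers)

    def challenge(self, account):
        """Pick distinct 1-based positions for the agent to ask the caller about."""
        n = len(self._accounts[account].verifiers)
        picked = secrets.SystemRandom().sample(range(1, n + 1), CHARS_PER_CHECK)
        return tuple(sorted(picked))

    def verify(self, agent, account, positions, answer):
        """The agent types what the caller said; only True/False comes back."""
        rec = self._accounts[account]
        answer = unicodedata.normalize("NFC", answer)
        ok = False
        in_range = all(1 <= p <= len(rec.verifiers) for p in positions)
        if rec.failures < MAX_FAILURES and in_range and len(answer) == len(positions):
            ok = all(
                hmac.compare_digest(rec.verifiers[p - 1], self._tag(rec.key, p, c))
                for p, c in zip(positions, answer)
            )
        rec.failures = 0 if ok else rec.failures + 1
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     agent, account, tuple(positions), ok))
        return ok
```

Two caveats a practitioner would want stated. First, per-position tags are only as strong as the secrecy of the per-account key: anyone holding the key can brute-force each position in a few dozen guesses, so the key must stay inside the check service. Second, this store cannot hand back the full password at all, which is exactly the trade-off raised in the thread: it rules out the agent "seeing" the password, but it also rules out dial-testing with the customer's own login unless that is done some other way.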
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Passwords and learning from others mistakes

Good idea!
There would still be occasions when they would need the full password. For example a "dial test" (on a test ADSL line they put the users login and password to check how the system behaves - needed if incorrect service offering problems are suspected).
jelv (a.k.a Spoon Whittler)
Why I have left Plusnet (warning: long post!)
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)